And what I want to look at is the first major, probably to be successful, initiative to have an international computer crime law.
Why do we need international computer crime laws?
Because the Internet is an international system.
Because computer crime and crime of all sorts now can cross boundaries.
In the old days, I had to go into the library.
I had to go into the library with the candlestick if I was going to kill Colonel Mustard.
I had to actually physically be there.
And while being there, I could leave behind all sorts of evidence,
from fingerprints to hair samples, eyewitnesses who may have seen me enter the room,
all the way to today, leaving behind DNA.
Now, I can be the criminal in one country.
I can attack a victim in another country.
And the evidence can be strewn in any number of countries and villages.
And the evidence can be strewn between.
And police hate that.
But there are some major obstacles towards developing a uniform theory of what computer crime should be.
And what are those obstacles?
First of all, between, there's a lot of areas of agreement,
which in most of the European nations and in the United States,
we have a consensus as to what should be illegal.
And some of those areas of obvious agreement where there's not a lot of problem for people to say,
yes, I agree, that should be illegal, are, for example, with child pornography,
the destruction of data, data theft.
These are offenses which we can tend to agree ought to be made illegal.
But there are great areas of disagreement.
One of the major areas of disagreement is substantive.
What is or what should be a crime?
And countries don't necessarily agree on this, even in some basic ways.
For example, in the United States, unauthorized access, simple trespass to a computer without permission, is a crime.
Other countries may not have a statute that prohibits that at all,
or when they do have a statute that prohibits it, they may have some added additional things that go with it.
They don't think that simple trespass is a crime.
For example,
in Germany, their unauthorized access computer crime law requires that the person have circumvented some kind of security measure
in order for that trespass to then be unauthorized.
So if you just happen upon the password file in a web server in the United States,
you could be convicted of unauthorized access because you exceeded your authorization when you went to look at this password file.
In Germany, that wouldn't be the case.
The people just left their password file on the web server without any kind of security protection
or means of authenticating permissible viewers, so it wouldn't be a crime under that statute.
So even with something as simple as unauthorized access, we can have a great disagreement.
Another problem is the relative competence or incompetence of local law enforcement officials.
Here in the United States, we've had a lot of effort to try to train our FBI agents
to be up to snuff in the techniques necessary to do a good forensic analysis of computer crime data.
In other countries, they do not have the resources necessarily or the information or the expertise
for them to investigate computer crimes.
In such a way as to necessarily find the proper perpetrator,
or to do it in a way in which it could be used in a court, for example, in the United States,
where you're going to have defense attorneys to challenge that evidence.
There may be somebody who commits an offense in another country,
and the United States is interested in locating and prosecuting that person.
But local law enforcement authorities here may have little or no power to go to another country
where the perpetrator may be located or where the evidence may be located to investigate.
So there's no agreement on what powers one nation has to interrogate, search, seize evidence in another nation.
And nations differ from country to country as to what kind of privacy protections they have
for their Internet users and thus what kind of evidence they can permissibly collect
from an ISP.
And the question is then, can they simply seize evidence from the ISP?
Do they just have to request it?
Do they need a court order or perhaps a warrant?
Or do they need nothing?
Or is there no way for them to obtain that information?
Is it so protected a law enforcement person can't get it at all?
There's the territorial problem with the lack of cooperation
between a local law enforcement agency or one nation's law enforcement agency
and the law enforcement agency of another nation.
We've all seen those movies where the FBI comes in and the local police are mad
because they're on their territory.
Well, that sort of inter-nation rivalry is that many more times worse
when we're not even talking about officials in the same country.
And finally, if we do manage to dispute,
to discover who is the perpetrator of an offense and where they are located,
there are disagreements over whether we have the authority,
one nation has the authority, to bring that person to that country for trial
and whether the home nation is going to extradite that person.
So all of these elements make, at this point in time,
international computer crime difficult to deal with.
Let's look at some examples.
Who's familiar with the I Love You virus case?
Okay, so I won't go into it in too much detail.
A gentleman in the Philippines decided it wasn't fair
that no one in the Philippines could afford internet access.
He thought a good way for people to get internet access
would be to use the accounts of other people and to have their passwords.
So he wrote, as part of his school paper,
a virus that would go out through the internet and it would collect passwords.
This I Love You virus, and it was an email that was titled I Love You,
and of course everybody always hopes that somebody loves them,
so when you would get an email from your friend that said I love you,
you would click on it, open it up,
and what it would do is it would go through all your email addresses,
if you happen to use Microsoft Outlook,
and send itself to all of those people, a note from you saying that you loved them.
There were great complications for corporate networks
as they tried to clean this bug out of their system,
but essentially what it was supposed to do was harvest these passwords and send them home.
Eventually, the United States authorities, with the cooperation of the Philippines,
were able to trace this virus back to a small apartment in Manila
where this gentleman lived with his sister and her boyfriend, I believe,
and eventually, at first they thought it was the boyfriend,
but when this guy's school told the authorities that actually he'd written his graduate thesis paper
on exactly this topic, they realized that it was him.
So corporations here in the United States were claiming millions of dollars of loss
for all the time and effort that they had had to take to clean this virus out of their system
because everybody was getting way too many emails.
And they were eager to prosecute this sort of latter-day Robin Hood.
Now, Robin Hood was a very important person here in the United States,
or in the Philippines, just so long as something happened to him.
But it turned out that the Philippines does not have, or rather did not have,
a law against writing and sending viruses.
So there was nothing to prosecute him for, and this gentleman was set free,
much to the consternation of local authorities here in the United States.
Of course, cases, bad cases always make bad law,
and the Philippines ran out to quickly pass an antivirus law,
which in the long run is a good thing.
But at the time, since there was no law, it couldn't be applied to him prospectively,
and this gentleman, there's no legal recourse.
There's no legal punishment that can befall him.
And that was extremely aggravating to the United States,
but not as aggravating in some ways as the case involving the Russians
because at least in the I Love You virus case, the Philippines was cooperative.
In the case involving these two Russians,
let me just add that because it was not a crime in the Philippines
with the gentleman who wrote the I Love You virus,
he could not then be extradited to the United States for trial here,
even though it is a crime here in the United States.
So nothing could be done.
With the Russians, these were two Russian guys who had stolen a bunch of credit card information,
done some other stuff, but basically stolen a bunch of credit card information
from companies like PayPal, which is an online payment provider.
And the FBI, with some assistance, was eventually able, after a year or so of investigation,
to trace these thefts back to Russia.
They called the Russian authorities and asked them for assistance,
and the Russians simply did not return their telephone calls.
They could not get the Russians to be interested in arresting these two guys.
Not only couldn't they get them interested in arresting the two guys
or interrogating the two guys,
they couldn't get them to even collect any evidence over there from these two guys.
Their requests for assistance were totally ignored,
and the United States has no power to obtain a search warrant
for a computer server that's located in Russia.
Without that information, they couldn't charge them here,
and of course, without the cooperation of the Russian authorities,
they couldn't extradite them here to the United States.
So the FBI came up with a great solution.
They didn't have a social engineering hack.
They didn't have Russian cooperation.
They didn't have any evidence.
And they didn't have great technological expertise.
But what they did do was they set up a fake company in Seattle,
and they called these Russian guys up, and they said,
Hey, we've got this computer security company,
and we think you guys are really good.
We might want to hire you.
Why don't you guys fly here to Seattle for an interview?
That's right.
So these two guys, you know, times are tough.
The economy's bad.
So these two guys flew from Russia to Seattle to go to this company, Invita,
it was appropriately called.
And while they were there, they went through this sort of interviewing process,
and the FBI agents, posing as human resources personnel, said,
Well, you know, show us what you can do, hack into our network.
So the Russian guys sat down at the company computers
and logged into their server in Russia to get their hacking tools that they had stored.
Unbeknownst to them, the FBI had a sniffer running on that system
and captured their username and password.
After they entered that information into the computer, the Russians were arrested,
and with that username and password, the FBI logged onto the server in Russia,
collected that information, brought it over here to the United States, zipped it up,
then went and got a search warrant to open the file that they had downloaded from Russia.
After having obtained it.
The defense attorney in that case did challenge that on Fourth Amendment grounds,
and the judge denied his motion, but I'm sure that it will be appealed.
So with cases like that, there's been an immense interest on the part of international law enforcement
to try to come to some kind of terms of cooperation, some terms of agreement,
so that we don't have these problems that arise in this country.
And that's what we're going to do in the future.
The Council of Europe's Cybercrime Treaty is the most developed and the most advanced of these efforts.
Something of a gleam in the eye of the Hoover Institution only four years ago,
it's now rapidly on its way towards ratification.
And we're going to talk in detail about the provisions of that treaty,
but I just wanted to mention that there has been a lot of international cooperation
in many fields other than...
other than crime lately.
The G-8, which is the eight industrialized nations,
has also been very concerned with cybercrime
and has developed a list of principles which have been incorporated into the Council of Europe Treaty.
We've also seen international treaties on copyright law
and a new one that we're in the process of debating,
which is the Hague Treaty, which is about the enforcement of foreign judgments.
Now, you may remember,
as I said, globalization is the future.
Internationalism is the trend.
And we are looking at a vast effort to homogenize the law across nations,
most often in the way that the United States thinks the law ought to be.
With conventions or treaties like the Berne Convention or the WIPO Treaty,
we're looking at exporting the United States' view of what copyright law is to other nations.
And if you'll remember, it is the WIPO Treaty that brought us
the Digital Millennium Copyright Act.
And I know that that was discussed here at this conference earlier,
so I won't belabor it,
but I think we're familiar with the problems that the DMCA poses
for people doing research for reverse engineering,
for encryption research,
and other important and valuable efforts of that nature.
Basically, Mickey Mouse is getting his way,
and the rest of us are going to have to follow in step.
The Hague Treaty is even more dangerous in many ways.
The Hague Treaty is...
is a treaty that's designed to enforce foreign judgments.
Now, most treaties, and the Council of Europe Cybercrime Treaty I include in this,
want the signatories, the countries that join the treaty,
to change or amend their laws to be in accordance with what the treaty says.
The Hague Treaty is a little bit different in that what it says is,
whatever your law may be,
we're going to respect that here in the other countries that are members of the treaty.
So...
instead of saying,
here's what our basic standards are going to be for the law,
the Hague Treaty says,
hey, if you break the law in this country or that country,
and there's a judgment against you,
we're going to let that judgment be enforced here in the United States.
So if you get sued for defamation or libel or something like that in the United Kingdom,
which does not have the same free speech protections we have here,
and there's a judgment against you,
here in the United States,
we're going to allow that judgment to be enforced.
So this is not about the Hague Treaty.
Perhaps it should be,
and we can talk more about that later.
But the Hague Treaty raises a lot of problems.
And those problems,
basically the problems of differences in values,
differences in procedure,
differences in protections for privacy,
free speech,
and important rights of that nature,
those are problems we're going to see here with cybercrime
and also that are very much issues with the Hague Treaty.
I have a question there.
The question was whether the Hague Treaty prevents our government
from prosecuting us for foreign laws.
And while the Hague Treaty does not prevent that,
here in the United States,
you can be prosecuted under United States laws.
Our government has to enforce our laws.
So the Hague Treaty will not give our government new power
to prosecute for other laws,
but what it will do is it will say that our government has to enforce judgments
in other countries under their laws.
So as I said, if you were sued in the United Kingdom
for insulting McDonald's,
and McDonald's won a judgment against you there,
then the United States government would be a party
or an accomplice to enforcing that judgment against you here,
even though under United States law
your comments about McDonald's would have been protected
under the First Amendment
and not something for which you could have been sued.
Civilly.
Okay?
The gentleman with the white hat?
He is asking who it applies to,
and that's a good question because obviously if it applies to
we certainly don't want judgments from some countries
whose laws are extremely different from ours
to be enforced here.
For example, if you violated the ankle showing law
in Afghanistan, and now I'm going to get caned,
we certainly wouldn't want that judgment to be enforced against me
here in the United States.
It would be something of a spectacle.
But it's for nations that signed the Hague Treaty
or any of these treaties.
And right now, as with the Cybercrime Treaty,
we're basically looking at the Western Europe nations.
With Cybercrime Treaty, it's the Western European nations
plus the, I forget what they call them right now,
but sort of the friendly observer nations,
the United States, Canada, Japan,
and maybe one other that we're looking at
as inviting to be members of this treaty.
Yes, you.
Okay, so this is a basic jurisdiction question.
And the answer to that is if you do something
from United States soil,
you are subject to United States law,
even if it affects someone outside the country.
If you do something from outside the country
that affects someone on United States soil,
then again, you're probably subject to United States law.
Now, whether you can get here or not,
whether we'll get you here or not
is part of that whole extradition treaty question.
But so the answer is,
well, I'm not a specialist in British law,
I think the answer is the same.
If the server is in the United Kingdom
and people can read it in a Usenet group there,
even though you're located here,
theoretically, you could be subject to United Kingdom law.
However, this is part of the whole problem
or part of the whole good thing about the Internet,
which is that what are they going to do?
I mean, who's going to prosecute you
for something you've done over there?
But also, how can they stop you?
For example, when Yahoo had people
selling Nazi memorabilia across their network,
they're subject to laws in Germany and France
and other nations that prohibit
the selling of that kind of material.
So what are they going to do?
They take that stuff off of Yahoo.fr,
but you can still get that on Yahoo.com,
and a person in France can easily access Yahoo.com.
So that is one of the issues with the Internet.
Are we going to have a basic dumbing down
where all we see on the Internet
is what's palatable to every nation,
the lowest common denominator,
or are we going to see a higher level
of discourse on the Internet
where we don't have those kinds of restrictions?
Yes?
Okay, so this is a question
about where the account is located.
And what I'm going to say is this.
There are innumerable what-ifs in this area of the law,
and the law is not certain about any of these things.
What I just said about jurisdiction
is the general principle.
But some of these questions, you know,
we can't really answer because we don't know.
These things haven't happened.
There's no agreement on it.
And what I really want to...
I will take your question and then yours,
but then I want to move on so that I can talk about
what the Council of Europe is trying to do
to address these problems.
Because the way the law is right now
is not necessarily the way the law is going to be in the future.
And I'm happy to take tons of what-ifs after,
but right now I sort of want to begin to move on
through exactly what the law is.
I mean, the jurisdictional problem is huge,
and that's why countries,
countries want to enter into these multilateral treaties
to try to resolve exactly the kind of problems
that this person just raised.
Yes?
Are there any examples
where a country has separate laws for foreigners
than for their own nationals?
It's a question whether there's any country
that has separate laws for foreigners
than for their own nationals,
and I don't know the answer to that.
What I believe I've heard you say
was that if a company makes a judgment
against a great-great-great-great-great country,
and then they can enforce that judgment
via the treaty against the United States
and work a lot of that judgment,
then we're effectively allowing foreign governments
to supersede the Constitution
by writing free speech,
by writing it as a procedure,
by writing it as a fair trial,
et cetera, et cetera.
That's what I believe I just heard you say.
The question was,
isn't the Hague Treaty, as I described it,
something that allows international law
to override
our domestic protections for free speech
and rights of that nature?
And the answer to that is yes,
and that's one of the reasons
why people are so concerned
about the Hague Treaty.
Well, the treaty is not...
The Hague Treaty is in its early stages,
and one of the reasons why I mention it
is because you'll see
as we go through the provisions
of the Cybercrime Treaty
that there have been a lot of lobbying efforts on...
There have been a lot of lobbying efforts
on the part of...
computer security professionals,
encryption researchers,
and people of that nature
to try to change
the European Cybercrime Treaty
and make it more palatable.
And the same thing needs to be done
with the Hague Treaty.
The Hague Treaty either needs to be amended
from where it stands now
or it needs to be killed.
Richard Stallman wrote a great rant
about why the Hague Treaty is bad,
and I recommend that people take a look at that
and think about, you know,
what we can do in order to
either ameliorate the downsides
of these international laws
or kill them altogether.
And let's take a look
at how that happened
in the process of negotiating
and arguing about
the European Cybercrime Treaty.
Okay.
The treaty is currently
in its final draft form.
You can look at what the treaty says
at that URL that I have up there.
And the treaty is, as I said earlier,
one of these types of documents
that requires the member nations,
the signatories,
to amend their or to pass local laws
that will make them in concurrence
or in agreement
with all the other signatory nations.
They have to pass new laws
that will agree with the provisions
of the treaty.
And the treaty has three basic areas
in which agreement is,
in which we agree to agree.
One is the substance,
that we need to have
a substantive consensus.
We agree on what is a crime.
We amend our laws
to make sure that everything
that's in the treaty
that they say should be a crime
is a crime in the United States.
And not just in the United States,
but in all the member nations
of the Council of Europe.
Second is a procedural consensus,
that we agree that there are processes,
whatever those processes may be,
for the retention of data
and the collection of evidence
and then the disclosure
of that information
to local law enforcement.
And finally,
the third thing is
the international cooperation aspect.
If local law enforcement
can collect the evidence,
then local law enforcement
can turn it over
to the law enforcement agents
of other nations,
the nations where,
for example, the crime
may have had its worst effect.
You want to see the site?
Oh, I'm not sure
if it's on Lexis, actually,
so I don't really know
where that would be.
I don't know where it would be on Lexis.
I know that's where it is on the web.
Sorry.
Okay, so here we have
a little picture of our hero
from the I Love You Virus case.
And he's representing everything
that we're going to now agree
is going to be illegal.
First, illegal crime
is illegal access.
Illegal access meaning
access without right.
Initially, this law required
every signatory nation
to make illegal access,
simple trespass,
or exceeding authorized access,
illegal, just as it is
here in the United States.
With lobbying from other nations,
the illegal access provision
now allows variations
on that theme
as per the law
that already exists in Germany.
They now allow you
to require
that there be some kind
of damage first,
or that some security measure
have been circumvented
or something like that.
That was the result of lobbying.
We have illegal interception of data,
wiretap or sniffing.
Data interference, stealing data,
erasing data, altering data,
that sort of thing.
System interference,
denial of service.
Misuse of devices.
This is very controversial
and was formerly a provision
called illegal devices,
which controls the development,
possession and use of hacker tools
like scanners, exploits,
password crackers,
anything that is primarily designed
to do the first four.
Illegal access, interception,
data interference
or system interference.
Computer related forgery.
Computer related fraud.
Child pornography.
And those are basically things
that we traditionally think of
as criminal offenses.
Kim?
Oh, wait.
Hold on just a second.
Kim?
The question was about
the misuse of devices provision
and we're going to talk about that
kind of in detail later
and then if I don't answer
your question,
please do ask it again.
Who was the other person
who wanted to?
Oh, okay.
So now we get into a new kind of crime,
maybe not here in the United States
but for most of these places,
copyright.
This treaty would require
the signatory nations
to criminalize copyright.
In the United States
up until not that long ago,
copyright offenses were generally
treated as a civil matter.
Now they're treated as a criminal matter.
And what this treaty would do
is it would require other nations
to also create copyright laws
that are punished criminally.
Now I know that most of you
probably know this,
but the difference between
a civil case and a criminal case
is a civil case is where
somebody sues you for money.
A criminal case is where
the government pursues you
to take away your liberty
and you go to jail.
And the treaty specifically states
that member nations must pass laws
that make you go to jail
for copyright infringement.
There's also provisions
for aiding and abetting,
corporate liability,
and as I said,
these all are
laws that the signatory nations
not only must pass,
but also must punish
with a potential sentence of imprisonment.
The gentleman in the back
who changed his mind
and wants to ask his question again.
The question is,
does this apply only to copyright infringement
like copying of songs on Napster
or something of that nature?
Does it also apply to purchasing
or even producing counterfeit items
like fake Levi jeans
or something of that nature?
And basically the answer is
it would apply to all those kinds of things
if they happened in the signatory nations.
Anything that is a copyright infringement
under the Berne Convention
or the WIPO Treaty
or any of a number of other
international copyright treaties.
The question is,
what does illegal access mean?
And I ask myself that
pretty much every day.
Under the,
I'm not kidding.
Pretty much,
at this point in time,
each country certainly has
its own hacker laws.
And,
whether those laws
prohibit illegal access
or don't prohibit illegal access,
require you to have circumvented
some security measure or not,
they're all over the map.
The idea behind this treaty
is to make everybody agree
within reason.
They have had to make some concessions
because of lobbying
and because of differences
between countries.
But the basic idea
is to get everybody
in the Council of Europe
plus some other big nations
like the United States
to all agree on the same definition,
essentially the same definitions
of crimes.
Yeah?
I can't really hear your question.
I'm sorry.
The question is,
what if United States
intelligence organizations
attack something
in one of the treaty countries?
Does that then become illegal?
I asked myself that question
when thinking about
the Russians' case.
I mean, here we have
FBI agents,
they sniffed the network,
okay, it was their own network,
maybe that's okay,
maybe it's not.
But then they used a password
which they knew was not their own
to gain unauthorized access
to a server located in Russia
and to take data from that server.
And I thought to myself,
that sounds pretty much
like a violation
of United States law.
In the United States law,
there's a provision that says
that law enforcement agents
can do stuff like that
if they have legal authority.
Of course, they didn't have
a warrant or anything
and we don't really know
what the legal authority
necessarily would look like there.
But, you know,
it sounds to me like
it's arguably an 18 U.S.C. 1030 violation.
Of course, we don't see
the Department of Justice
going after these FBI agents
to prosecute them.
So my answer to you is that
there will still be some variations
between the laws
of the member nations
and we still have possibly provisions
that say that
there's an exception
for law enforcement
or something of that nature.
And that even though
that exception for law enforcement
may or may not apply
because it doesn't seem
like they got legal authority,
law enforcement may still go ahead
and do stuff like that.
And the answer is
we don't know the answer
because that's the beauty
of the Internet.
It's still too young for us
to really have everything nailed down.
So it's a good question
and a complicated answer.
I'll take that gentleman in the back.
Uh-huh.
Okay, did everybody hear that?
Okay.
Yes.
I mean it's a ...
Oh, now it's
all broken down.
Okay.
All right.
So those are the, I'm going to go without that then.
Those are the substantive rules that need to be, that signatory nations need to agree on.
There's also procedural rules that the nations need to agree on.
And those procedural rules are basically about the collection of data and the preservation of data
so that we can have evidence collection by local law enforcement, at least,
which will lead us up to the third provision, which is that once local law enforcement collects this data,
we're going to go and hand it over to foreign law enforcement agents.
So first, there are procedural rules that require system administrators
to preserve data.
Preserve stored computer data, computer data, up to 90 days upon request.
And that that 90-day period can be extended if further requested.
System administrators must be able to, there must be laws that require system administrators
to preserve traffic data and to disclose that data to law enforcement agents.
So I put a little picture of a computer server here because one of the great complaints
that I've seen in the last couple of years is that a lot of people are saying,
these provisions have had.
And one of the powerful lobbying efforts made against these provisions was by ISPs who said,
look, we don't have the resources to store all this information for you all the time.
This is a great financial burden on us, and we simply can't do it.
And the Council of Europe as a whole has generally disregarded that complaint on the part of the ISPs.
Could you just say one more question?
Right, not all data.
It is upon request.
And actually, that's a very good question and something that we'll talk about a little while later.
There have been some amendments to these provisions to make them a little more palatable.
In fact, the treaty does say that it is upon request,
but countries can still require whatever legal process they need before this information is disclosed.
So if the United States still requires a court order or a warrant to get certain information, that's okay.
Generally, that's interpreted, the treaty is interpreted as not conflicting with already existing United States privacy protections.
However, the treaty does not impose requirements on other signatory nations to have or to institute privacy protections at all
before this type of information is turned over.
So if nations want to have privacy protections, they still can, but there's no encouragement or inducement for them to do so.
Yes?
When we're talking about the financial version of the ISP, does that make sense?
If it goes beyond that, I work with a system that it was mutually impossible to get that in.
I work for a free email service for a long time, and we actually talked about that in one group,
and we were ever asked to somehow get people's emails, but we would not have been able to do it.
It was technically impossible.
So is this something?
If you have a free email like that, does that mean that you're screwed?
Do you have to include your central system, or does that mean that there's going to be exceptions for systems that are outside of that?
Okay, that's an excellent question and an excellent follow-up to the point that the gentleman over here made.
And this was one of the major battles in this treaty,
the question of whether or not ISPs or other service providers could be forced to construct their technology
in such a way as to allow for
this type of recording of data and surveillance.
And there was great concern about this because in the United States, we had passed a law that we call CALEA,
which many of you may be familiar with.
And CALEA basically was a law that required telecommunications providers to have technological capabilities
within their systems that permitted law enforcement eavesdropping, that facilitated law enforcement eavesdropping.
And when this treaty was being negotiated,
people were very concerned that these provisions about procedural data collecting
were another kind of CALEA for the ISPs, for the data,
that had to do not with telecommunications but with data communications.
And through great efforts at lobbying, the treaty has added a provision that says
that this type of data collection has to be within the technological capabilities of the ISP,
and that there's not a CALEA-type provision in here that requires ISPs or remailers or that sort of thing
to enable this type of evidence collection or surveillance.
Many people feel that those provisions, as they now stand in the treaty, are not strong enough,
but there is that language in the treaty and the notes that explain what the Council of Europe was thinking
when they were writing this thing, which I also often ask myself.
So I think there's some, a lot of high-level people actually say that they specifically do want to avoid this,
what is called the CALEA problem.
So thanks for that question.
Search and seizure is another issue.
Yes?
Will ISPs be prohibited from informing customers when these requests are made?
The question is, will ISPs be prohibited from informing customers when these requests are made?
And the answer is that, yes.
There are provisions in this treaty that say that you cannot have ISPs.
There has to be a way to hide the fact of this investigation from the customer.
Now, what the parameters of that provision are, I'm not totally familiar with,
but I have a copy of the treaty with me, and we can look it up.
So if you want to come up after, and people who are interested in the nuances of that question,
we can look that up in the treaty and see if it's possible for us to decipher what, in fact, it might mean.
Search and seizure is an issue.
And the main question with search and seizure was a problem with trans-border searches.
Are we going to let law enforcement agencies from France or Britain or other countries
come into the United States and search our computer servers here?
Basically, the way that that problem was resolved was to say, no, we're not going to allow that.
But what we are going to allow is we're going to enable local law enforcement to do searching,
and then we're going to have local law enforcement promise that they're going to cooperate.
One part of this search and seizure provision is
that the law enforcement, there should have to be laws passed,
which allow law enforcement to order a person with knowledge about the system
or about the data protection measures to provide the ability to search, seize, or copy the data.
So we're going to talk about that a little bit, but just think about that for a second.
I'm sorry?
Can you provide a difference from enablement?
Is provide different from enable?
You should be a lawyer, because that's a good question.
I mean, we don't know.
Basically, what that provision has been interpreted as meaning is that it is a challenge or a danger or a threat
to encryption rights in countries, that the person who's protected his data or her data with an encryption key
would then have to be able to provide the ability to law enforcement to search that data,
meaning that they may have to turn over their key.
And that butts up directly.
So that's a problem that we're going to have to deal with here in the United States.
So whether provide means enable, I don't know.
But if you're asking me whether that means that encryption rights are threatened, the answer is yes.
The question is, does the treaty say that the authorities can go back to the person
whose data they're protecting?
It is, and command him to decipher it for them.
And that is what the treaty looks like it says.
That is what the treaty looks like it says, and it is a source of great concern.
The treaty allows data interception.
It requires signatory countries to pass laws that will force service providers to do real-time collection of traffic data
and to cooperate with authorities when they do real-time collection of traffic data.
And as we talked about earlier, because of the good question,
the first issue that we have is that there's a problem within the system that is in the service provider's existing technical capacity.
So there's no CALEA problem.
They're not required to build snooping into their system,
but they do have to cooperate with data intercepts,
just as the telecommunications companies do here when they're given a wiretap order.
There are...
And the final essence of all of this is that once the signatory nations pass the laws
that state what is a crime, and we all agree on what's a crime,
and once the signatory countries pass laws that say data collection can happen
and here's how data collection will happen,
then they all agree that they will then exchange that data.
That's the essence of the treaty and how these international problems are to be overcome.
And these jurisdictional questions, that's the cooperation problem and added
to that is a definition of jurisdiction, where a nation has jurisdiction is defined
as on their territory, on one of their ships, on one of their aircraft.
And once we have this agreement that the nations have jurisdiction and that we have agreements
about all these crimes, we can agree on extradition.
Because usually we don't have extradition unless the offense is a crime in both nations.
Now it's a crime in both nations, so we agree that we extradite.
It requires both.
First that it's punishable by both parties, but also that it be an offense that is punishable
by more than one year.
And an offense that's punishable by more than one year is a felony,
by less than one year is a misdemeanor.
That's the essential difference.
Okay. So consensus can be bad.
Why? Because we don't have a laboratory approach where we can see a lot of variations
in the ways that different computer crime laws
can help or hurt computer security.
We also are heading towards a situation where we have a substantive agreement on these laws
without having any greater agreement on human rights, on free speech, on due process,
or on any of these things, which could result not only in injustice in those other countries,
but it results in our law enforcement agents and our country and our tax dollars being spent
to pursue or prosecute cases in other countries that would never be pursued
or prosecuted here because of these rights.
Now, of course,ruit is protracted, if it will
be protected, by far.
whether it's designed for authorized testing or designed for hacking.
A hacking tool looks very much like a security tool.
In fact, they're often the same tools.
So because of great pressure from countries, from encryption experts,
and from researchers in different countries, that provision is now one that you can opt out of.
However, I think we can look.
I think the trend of the future is that we're going to have to be battling a lot of laws that prohibit hacker tools.
The Australian government is considering now a law which would just ban all hacker tools
without these exceptions for computer security research.
Child pornography, you wouldn't think it's controversial, but it is.
This treaty will export the United States definition of child pornography,
which includes not only actual child porn, but virtual child porn,
pornography in which no children were harmed, but which appears to be a visual depiction of a child.
At the very least,
this treaty requires that the virtual child porn be a picture.
In the United States, that's not a requirement.
And I read in the New York Times two days ago that somebody was sentenced to prison for 10 years
for a written depiction of child pornography.
We talked about all of this.
So what's the bad news about the Cybercrime Treaty?
It's serious.
Are there any lawyers involved in this entire process?
Are there what?
Are there any lawyers involved in this entire process?
The question is, were there any lawyers involved in this process?
And I think that the answer is clearly that there were too many lawyers involved in this process.
I just want to stop you for a second before we move on,
because that virtual porn thing has implications far beyond any kind of Internet, PBS, kind of, you know,
whatever.
Wouldn't it affect potentially,
legitimately,
Hollywood films in which two actors under the age of 18 are playing the role of teenagers involved in sexual activity?
Resulted in that in the release of The Traffic, which ironically had a cameo by
a good colleague, Mr. Hatch, who played himself.
Endless Love that hides a rich, long line where you're led to believe that the characters are under the age of 18.
The question is whether the child pornography law
has implications far beyond the limited ones that I said.
And before I answer that question, I want to ask whether I have till 12 or 12.30.
Does anybody know?
Okay.
Well, my answer to that, then, is yes, it does.
I want to go back here.
Oops.
Oh, now I've messed it up.
I am going to make the slides available.
Yeah, I will make them available on DEF CON.
As you can see, I mean, with the child porn thing, that little picture there is the picture from Lolita.
That's the picture from Lolita, which was, you know, one of the classic, it's a classic, and also child porn.
So child porn is, it's very controversial.
Most people think, oh, you know, it's a black and white issue, but there are lots of complicated legal issues in it,
just like with the movie Endless Love and that sort of thing, which you raised.
Okay.
So,
you saw the bad news, and I will make that available, but the question is, what can I do?
And I don't want to leave you on the low point, where you all feel like, man, that treaty really sucks.
We're in for something really bad.
So what can I do?
Lobbying works.
Okay.
I've raised many points and pointed out numerous times where lobbying by nations, by researchers,
by encryption advocates has resulted in modifications being made to the treaty that have made the treaty better.
So lobbying does work, and it's not too late.
So I urge everybody who has interests in these issues, and that does appear to be everybody in this room,
since you came here and you stayed for the entire hour on this early Saturday morning,
to get educated about these issues.
Sunday morning.
See, I'm the one with the problem.
And I've listed a couple of URLs here for organizations which have been heavily involved in trying to make the cybercrime treaty better
and to try to make sure that rights are protected, that our rights and the rights of people in those communities
other nations are protected in the treaty.
So get out there and do some good.
Thank you very much.
